The Groups log of Symantec Encryption Management Server, available from the admin interface under Reporting / Logs continuously displays an error message containing the phrase "Ldap Rule with No Attribute Value pair".

The /var/log/ovid/groupd-YYYY-MM-DD.log file and the admin interface display errors similar to this:

2015/01/06 12:41:03 +00:00  ERROR  pgp/groupd[2434]:        GM2-00000: Caught an exception wile loading rule d84316b7-5ffb-4dc3-8c40-3a80c42ec65d details. Errod detail: Ldap Rule with No Attribute Value pair.

In Symantec Encryption Management Server, users can be assigned to groups using LDAP Directory Synchronization rules. Typically, users will be assigned to SEMS groups based on their membership of Active Directory security groups.

Under some circumstances, probably as a result of very high server load and replication problems, changes to the group membership rules are not saved correctly to the relevant tables in the database. This can result in some records not being deleted and "orphan" records remaining in some tables.

When the regrouping service runs, it cannot process these orphan records and an error message is generated.

There are several possible ways to resolve this issue. Please try each in turn:

1. In the admin interface, click on Groups then on the name of the group.
2. Click on the Group Settings button.
3. Click on the Save button.
4. Repeat the above steps for each group name.
5. Check the Groups log to see if the error messages cease.

If the messages continue, carry out the following steps:

1. In the admin interface, click on Groups then on the name of the group.
2. Click on the Group Settings button.
3. Click on the Membership tab.
4. Make a note of the membership criteria, particularly the Attribute and Value pairs for each rule. Copy and paste this information to a text file.
5. Delete the membership criteria including all Attribute and Value pairs.
6. Click on the Save button.
7. Edit the membership criteria again and add back all the original rule information from the text file.
8. Click on the Save button.
9. Repeat the above steps for each group name.
10. Check the Groups log to see if the error messages cease.

If the error messages continue, please contact Symantec Technical Support who can delete the orphan records from the underlying tables.

Applies To

Issue observed in Symantec Encryption Management Server 3.3.2 MP1 but other releases are very likely to be affected.